On-Site Training Proposed Schedule
Introduction to Digital Forensics
| | DAY ONE | DAY TWO |
| 7:30 a.m. - 8:00 a.m. | Registration - Breakfast Pastries | Breakfast Pastries |
| 8:00 a.m. - 9:20 a.m. |
Computer Forensics and Investigations
This section will introduce the participant to the field of computer forensics and how it can be used in criminal, civil and administrative matters.
This section covers:
- Understanding computer forensics
- A brief history of computer forensics
- Computer forensic resources
- Understanding law enforcement agency investigations
- Understanding corporate investigations
|
Computer Forensics Analysis
This section reviews how data is stored on a typical Windows XP computer system. The basic file structure will be viewed in an actual forensic setting as the instructor demonstrates the forensic analysis of the file structure of the previously created image.
This section covers:
- Exploring the basic Microsoft XP File system
- User accounts
- Deleted files
- Hidden files
|
| 9:20 a.m. - 9:35 a.m. | Break | Break |
| 9:35 a.m. - 10:55 a.m. |
Preparing a Computer Forensic Investigation
This section shows the investigator how to recognize, plan for and manage a computer investigation.
This section covers:
- Assessing the case
- Planning the investigation
- Gathering and securing the evidence
- Required tools and skills
- Completing the case
|
Recovering Files
This section discusses and analyzes a computer system showing the investigator how to find deleted files, pictures, compressed files, and relevant documents. The investigator will be shown how to save and export the information in a report format.
This section covers:
- Recognizing file types
- Locating and recovering images and files
- Locating data in unallocated areas
- Building a computer user’s timeline
|
| 10:55 a.m. - 11:10 a.m. | Break | Break |
| 11:10 a.m. - 12:30 p.m. |
Processing Crime and Incident Scenes
This section guides the investigator through search and seizure scenarios. It includes corporate and law enforcement situations as well as overt vs. covert searches.
This section covers:
Corporate Investigations
- Chain of custody
- Corporate evidence collection and storage
- Preparing for a search
- Identifying computer users and their systems
- Seizing vs. imaging (copying) onsite
- Using additional technical expertise
- Determining the types of tools needed
Law enforcement
- Evidence collection and storage
- Preparing for a search
- Search warrant terminology
- Identifying computer users and their systems
- Seizing vs. imaging onsite
- Using additional technical expertise
- Determining the types of tools needed
- Critical legal issue involving authors and the media
|
Computer Forensic Analysis
This section shows the investigators how to locate and analyze the Internet history found on a computer.
This section covers:
- Internet Explorer
- Locating and extracting the data
- The value of the data
- Date and time issues
- Common software tools used to analyze the data
- Exporting the results into a report format
Email Investigations
This section shows the investigator how to recognize and identify different e-mail systems found on today’s computers. The class will be shown how to extract and analyze that information.
This section covers:
- AOL e-mail
- Outlook Express e-mail
- Mozilla Thunderbird e-mail
- Outlook
- E-mail headers
|
| 12:30 p.m. - 1:30 p.m. | Group Lunch | Lunch on Your Own |
| 1:30 p.m. - 2:50 p.m. |
Digital Evidence Controls
This section discusses how to handle digital evidence legally and properly. This topic is applicable to criminal, civil, and administrative cases. The objective for the investigator is to collect all relevant digital data legally and appropriately, without harming or altering it in a way that could cause the investigator to lose the case.
This section covers:
- Identifying digital evidence
- Time and date stamps
- Understanding evidence rules
- Understanding the fragile nature of the evidence
- Securing digital evidence at the scene
- Inventorying and storing evidence
- Evidence retention
|
Forensic Tools and Software—Forensic labs
This section discusses the different tools available to today’s investigators. These range from free software to listservs and organizations willing to assist the computer forensic examiner with advice and help. The second half of the section will touch on equipment and lab settings.
This section covers:
- Types of computer forensic tools
- Software
- Computer forensic organizations
- Listservs
- Computer equipment
- Certification
- Lab security
|
| 2:50 p.m. - 3:05 p.m. | Break | Break |
| 3:05 p.m. - 4:25 p.m. |
Data Acquisition: Making Forensically Sound Images of Digital Media
This section covers a live demonstration showing the students how to make a forensic image of a common computer hard drive.
This section covers:
- Making an image using common hardware/software based imaging techniques
- Identifying cables and drive types
- Making an actual image
- Various imaging tools available
|
Reports and Courtroom Testimony
This section discusses the importance of writing a computer forensic report that is detailed yet understandable to judges, juries, attorneys, and the layperson. The topic will also discuss preparing for court testimony.
This section covers:
- Limiting the report to specifics
- Types of reports
- Writing reports clearly
- Helping your attorney
- Documenting and preparing evidence
- Current legal issues
|